The Ultimate Wifi Stealing Setup

With my departure date from Nowhere, Appalachia rapidly approaching, I decided it would be a good idea to make sure I can always have internet access in my RV. I will cover the system setup from start to finish. I'm assuming that you have basic technical competence here, including basic Linux competence.
What it does

You are sitting in your RV/van/whatever. You have a local wifi network named 'Jupiter.' When you connect to it, you almost always have access to the internet. Under the hood, a Raspberry Pi is continuously searching for and connecting to any open access points within range of your extremely powerful antenna, then bridging that connection through its own AP. It can connect to any open AP within 200-2,750 ft depending on the terrain.

There is a network drive on the local wifi network that always has the latest episodes of TV shows, movies, games, and whatever else you want. Under the hood, the media server is leveraging its constant connection to torrent whatever you need.

Important notes:

This setup has a total power of 60 dBm, which is roughly 225x more powerful than ALFA RV repeater bundles.

This is completely illegal. The setup FAR exceeds FCC regulations for maximum ERP (36dBm), almost 100 times over. But who gives a shit?

The amplifier will flood the licensed spectrum at 1.7 GHz. If you park near a runway you will interfere with aircraft navigation systems. So don't do that.

Power consumption should be no more than 17.5 W AC. If your inverter has 90% efficiency this is 19.25 W DC. I'll save you the math: if you're running it 24/7, this is 462 Wh per day.
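The dBm figures above are easy to get wrong, so here is an added example (not from the original post) that does the dBm/watt arithmetic and checks a transmit chain against the 36 dBm EIRP limit the post quotes. The component values are illustrative assumptions, not measurements of the hardware in the post; the "times over" factor is the exact dB arithmetic.

```python
import math
from dataclasses import dataclass

# Limit quoted in the post: 36 dBm EIRP (30 dBm conducted into a 6 dBi antenna).
FCC_EIRP_LIMIT_DBM = 36.0


def dbm_to_watts(dbm: float) -> float:
    """dBm is 10*log10(mW); divide by 1000 to get watts."""
    return 10 ** (dbm / 10) / 1000.0


def watts_to_dbm(watts: float) -> float:
    return 10 * math.log10(watts * 1000.0)


@dataclass
class TxChain:
    """Transmit chain as the post wires it: Pi -> adapter -> amplifier -> antenna."""
    tx_out_dbm: float       # power leaving the last active stage (amp output, or the adapter if no amp)
    antenna_dbi: float      # antenna gain
    cable_loss_db: float = 0.0  # pigtails and connectors, entered as a positive number

    def eirp_dbm(self) -> float:
        return self.tx_out_dbm - self.cable_loss_db + self.antenna_dbi


def compliance_report(chain: TxChain) -> dict:
    """Compare a chain's EIRP with the limit and express the excess as a linear factor."""
    eirp = chain.eirp_dbm()
    over_db = eirp - FCC_EIRP_LIMIT_DBM
    return {
        "eirp_dbm": round(eirp, 2),
        "eirp_watts": round(dbm_to_watts(eirp), 3),
        "over_limit_db": round(over_db, 2),
        "times_over_limit": round(10 ** (over_db / 10), 1) if over_db > 0 else 0.0,
        "compliant": over_db <= 0,
    }


def max_tx_dbm_for_antenna(antenna_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Highest transmitter output that keeps a given antenna at or under the limit."""
    return FCC_EIRP_LIMIT_DBM - antenna_dbi + cable_loss_db


if __name__ == "__main__":
    # Assumed chain: 36 dBm amplifier output into a 24 dBi directional antenna.
    print(compliance_report(TxChain(tx_out_dbm=36.0, antenna_dbi=24.0)))
    print("max tx for a 24 dBi antenna:", max_tx_dbm_for_antenna(24.0), "dBm")
```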

What you need

Raspberry Pi

You need a Raspberry Pi. It's essentially a teeny tiny computer that is usually used for robotics. I recommend this kit for getting started easily.

You will need an SD card to go with it, I got this one. If you don't have an SD slot on your computer, you will also need a USB->SD adapter.

If you're on Windows, you will need an extra HDMI cable, display, and keyboard lying around to configure the Pi's wifi connection before you can SSH into the Pi over WLAN. If you're on Linux, you can do this by editing the root partition directly (the filesystem is ext4, which Linux can read and Windows can't).

Note to those who would buy a cheap Chinese SD card:
Everyone likes to save money. I've been a techno-nerd for a very long time, so please just believe me when I say that you should not buy a cheapo $5 Chinese SD card. It will fail in a couple of weeks at best, if it was even a real SD card when you got it - and if it was, it's probably 1 GB instead of 32.

Antenna

There are two types of antennas: directional and omnidirectional. An omnidirectional antenna is what you are already using with all of your electronics. It can pick up RF from a 360° radius on its vertical plane. These are not ideal for this application, but they are easier to use as they don't require aiming the antenna.

Nerd info: Something interesting to note here: in practice, a directional antenna functions as a wide-beam attenuator, narrow-beam antenna. As you step up the dBi of the directional antenna, the precision required for aiming the antenna increases (how much varies based on design). In terms of real-world application, the inverse is true for omnidirectional antennas: they become less accurate; the higher you go, the tighter the vertical plane. When you get a big omnidirectional antenna, it is wholly possible that you will have poor signal reception due to a difference of less than 20 ft in elevation at a distance of 100 ft. For this reason omni antennas are not good for long-distance applications.

Simply:
An omnidirectional antenna will be much more expensive and significantly hurt your range and ability to connect to wifi networks based on geography. I don't recommend it. However, it will make this setup fully automated as-is, with no antenna-aiming required.

If you absolutely must because you're a total lazy-ass (read: like me), I would get this omnidirectional antenna: 12dBi TP-Link Omni Antenna - $40. It's worth noting that their 15dBi model is only $10 more, but is known to have significant QC issues compared to the 12dBi antenna. The 15dBi one is not worth $50.

Warning: You will get fucked if you buy a cheap antenna from China. Antennas are very sensitive and require good QC. Chinese products have no/very little QC which is part of why they're so cheap.

2.4 GHz Amplifier

You will need a 2.4 GHz amplifier. This is where the licensed spectrum flooding comes from. It's a cheap-ass made-in-China amplifier - it says that it's FCC approved but it is absolutely not. However, it does actually amplify its transmission circuit to 36 dBm (4 watts), which is all that we need it to do:

Note: If you have anything other than the Raspberry Pi 3 which I linked above (Zero, 2, model A, whatever) you will need TWO wifi cards, one of which must support AP mode. That's because we're using the Pi 3's onboard wifi chipset for the access point.

Go ahead and pick up the ALFA 036H - $32 - this is what I have and it works for our purposes. You might be able to get something decent cheaper; just make sure that it supports monitor mode.

Optional

I am going to update this later when I have my system fully set up. For those who are interested, I will be using a DC stepper motor and an L298N motor controller to rotate the directional antenna. It will be controlled by the software that finds the wifi networks. This will elevate the entire system to complete automation with the directional antenna. I will do a full write-up when I'm done with that.

Setting everything up

Antenna, amplifier, pi, cards

Plug your ALFA into one of the Raspberry Pi's USB ports. Unscrew the antenna that comes on the ALFA (if it's screwed on), and screw on the connecting cable from the amplifier. Pay special attention to the stickers on the bottom of the amplifier which say "to router" - that's the side you want to screw it into. The Raspberry Pi is your "router". Screw your antenna into the opposite side of the amplifier.

So it should go like this: Pi->Alfa->Amplifier->Antenna

The amplifier comes with a 110 V plug because it requires its own power source.

Plug your SD card into your computer. Using Etcher if you're on Windows or `dd` if you're on Linux, flash the latest Raspbian Lite image to the SD card. On the boot partition (/boot), create an empty file named 'ssh' with no file extension.

If you're on Linux, you can skip all of this and configure the image directly, then SSH into the Pi over wifi, by adding the appropriate information to /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf.

After you've flashed the SD card, put it in the Pi. Plug your monitor and keyboard into the Pi. Plug the amplifier in. Plug your Raspberry Pi in. When the Raspberry Pi boots up, you should be greeted by a CLI login prompt, familiar to any Linux user. Enter the username 'pi' and the password 'raspberry'.

Now you can SSH into the Pi on your local wifi network. For Windows, use PuTTY. You can find the Pi's IP either through your router's DHCP table or by using nmap and finding the MAC address that matches the vendor "Raspberry Pi Foundation".

Automatic Setup

Here is a script I threw together that should set up everything automatically. After you set up your wifi connection, it will set up everything except Deluge. It runs as root, so read through the script before you run it. If you want to go that route, enter the following commands:

sudo wget pastebin.com/raw/dYj93CsV -O /root/setup.sh
cd /root && chmod +x setup.sh && sudo ./setup.sh

If that causes you any issues, move on to the manual setup. Otherwise, skip down to Deluge.

Manual Setup

You need to install a few packages:

sudo apt-get install hostapd hostapd-utils dnsmasq rfkill python-pip

Then we're going to configure hostapd. By default, it starts via init.d, which is not functional. To begin with, we must remove it from rc.d and delete the if-pre-up.d symlink:

sudo update-rc.d hostapd remove && sudo rm /etc/network/if-pre-up.d/hostapd

Next, we're going to go to our /etc/network/interfaces file and make the following modifications. Delete everything in the file and replace it with this:

I'm not really sure why, but for hostapd to work correctly the interface needs to be brought down and back up before hostapd is started. This is triggered by post-up in our interfaces file, which then starts hostapd.

This will properly forward all traffic between wlan0 and wlan1. Important for captive portal hotspots. Save this config with iptables-save, which writes the live rule set to stdout, so redirect it to a file (the path is up to you) that you restore with iptables-restore at boot:

sudo sh -c 'iptables-save > /etc/iptables.rules'

Now run:

sudo reboot

And when the Raspberry Pi comes back up, you should see a new wifi hotspot - Jupiter. Connect to it, and SSH into it from your computer. The local IP of the Pi will be 192.168.42.1. It should already be connected to your local wifi network via the wlan1 interface, i.e. you should have internet access already when you connect to the Pi's AP on your computer.

That's all there is to it. You've fully set up everything on the hardware side of things. Now onto the software.

You must be connected to the Pi's wifi network. SSH into the Pi and we'll be good to go.

Run the following command:

sudo apt-get install samba

When it finishes, you have to set up a username/password for it:

sudo smbpasswd -a pi

It will prompt you to enter the password (a quirk of Linux security: it will not display stars or anything at all, but the password is being entered).

Now we need to create our storage folder with the appropriate permissions:

sudo mkdir /samba
sudo chown pi:pi /samba

Note: If you have an external HDD/SSD you would like to use for additional storage, you can mount it to /samba and make that alteration permanent by adding the mount to /etc/fstab. If anyone needs clarification, let me know.

In Windows, we can automatically locate the network share by enabling network discovery:

After you give it a moment, you can open your file explorer and navigate to the 'Network' tab, where you will find '<HOSTNAME>' (mine is bandit, the default is Raspberry):

Note: If you would like to change your Pi's hostname, just run raspi-config again and find the option for setting the hostname, then reboot the Pi with `sudo reboot`.

In Linux the network share will be found via smb://192.168.42.1/samba

Setting up Deluge

Now we need to set up the torrent client. This will allow us to automatically download new episodes of TV shows to our network share. Begin by installing Deluge's daemon and web UI:

sudo apt-get install deluged deluge-web deluge-console

Now we will temporarily start the daemon so that it creates all of the config files. Run:

deluged

Then:

killall deluged

Now we need to add a username/password to the deluged client. This won't necessarily be used, but it's good to have on hand in case you ever decide to use the straight GUI version instead of the Web UI. Replace the italics:

If you're on Windows, open a command prompt as administrator. Hit your Windows key, type 'cmd', right-click on 'Command Prompt' and select 'Run as Administrator'.

Now type the following in your Windows command prompt. Change "torrent.bandit" to whatever you want - this is the address that will redirect you to your torrent client (i.e. "http://torrent.bandit" instead of "http://192.168.42.1:8112"):

Restart your Windows computer. When you open a browser and type "torrent.bandit" in the address bar, it should redirect you to your Deluge Web UI:

You will be prompted for a password, enter 'deluge'. You will be prompted to change your password. Select yes. Enter your new password twice in the settings window, then hit the 'change' button beneath it.

If your browser is annoying you about SSL, we can fix that quickly. Let's create a self-signed certificate. Run the following command:

Aw thanks buddy. It's all done for now. Just need to get RSS feeds working w/ FlexGet.

Next thing to add is gaining access to passworded networks. Cracking WPA2 is an expensive pain in the ass, so instead, if the python program is unable to find an open network, and a passworded one is in range, it will DoS them off their own network, force them to connect to a mirrored AP (our wlan1), then serve them a page asking for their wifi password, under the guise of a router problem or something.
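From the defending side, the pattern described in that reply (deauth flood, then a same-named open AP) leaves two visible traces, and this added example (not from the original post) is detection logic run over constructed scan and frame records. The record layout, the known-AP list and the deauth threshold are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of what a nearby wifi scan might report (simplified
# from the fields `iw dev wlan0 scan` prints); not real data.
SCAN = [
    {"ssid": "HomeNet",  "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "chan": 6,  "signal": -52},
    {"ssid": "HomeNet",  "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "chan": 6,  "signal": -38},
    {"ssid": "CafeWifi", "bssid": "aa:bb:cc:00:00:02", "security": "OPEN", "chan": 11, "signal": -70},
]

# Assumed allowlist: the BSSIDs you know legitimately serve each SSID.
KNOWN_APS = {"HomeNet": {"aa:bb:cc:00:00:01"}}


def find_evil_twins(scan, known_aps):
    """Flag BSSIDs that copy an SSID: unknown BSSID for a known name, or an
    open copy of a name that is otherwise protected."""
    by_ssid = defaultdict(list)
    for rec in scan:
        by_ssid[rec["ssid"]].append(rec)
    findings = []
    for ssid, recs in by_ssid.items():
        securities = {r["security"] for r in recs}
        for r in recs:
            reasons = []
            if ssid in known_aps and r["bssid"] not in known_aps[ssid]:
                reasons.append("unknown BSSID for known SSID")
            if len(securities) > 1 and r["security"] == "OPEN":
                reasons.append("open copy of a protected SSID")
            if reasons:
                findings.append({"ssid": ssid, "bssid": r["bssid"], "reasons": reasons})
    return findings


# Constructed sample of captured management frames as (epoch second,
# frame subtype, BSSID the frame claims to come from); not real data.
FRAMES = [(100, "deauth", "aa:bb:cc:00:00:01")] * 40 + [(100, "beacon", "aa:bb:cc:00:00:01")]


def deauth_bursts(frames, per_second_threshold=10):
    """Return (second, bssid, count) for every second in which one BSSID
    sourced at least `per_second_threshold` deauthentication frames."""
    counts = Counter((sec, bssid) for sec, subtype, bssid in frames if subtype == "deauth")
    return [(sec, bssid, n) for (sec, bssid), n in sorted(counts.items()) if n >= per_second_threshold]


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, KNOWN_APS):
        print("possible evil twin:", f)
    for sec, bssid, n in deauth_bursts(FRAMES):
        print(f"deauth burst at t={sec}: {n} frames claiming {bssid}")
```

Management frame protection (802.11w) on the legitimate AP is the mitigation for the first trace; an allowlist check like the one above is what makes the second one visible.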

That just depends on how much money I'm left with when I'm done with the engine. I might have to go with a cheaper antenna. The problem is that with the parabola, I would need two stepper motors - one at about 2.5Nm of torque, the other at 8Nm. It has to be really slow for scanning, but it does need to eventually decide which network to be on; a 180* turn on the horizontal axis with cheaper/shitty motors at 0.2nm / 0.1cm/s2 would take a while... too long for my impatient ass. And a stepper motor with >=8Nm of torque is really expensive, probably over $100.

Meanwhile, the yagi needs a modest 1.2 Nm of torque. The stepper for that would probably be about $30 instead. I could go without a dual-axis design there, since the yagi has 35° on its vertical plane.

Semi-retired traveler

On a side note, I'm currently testing two different kinds of wifi extenders that fit in your pocket. I'll probably make up a video about those later; they're pretty interesting, but I need to do more testing since I'm having trouble with both of them (but that might just be related to the crappy internet here).

Lurker


The other is a mini travel router, the HooToo TravelMate Elite. Just a little box that plugs into the wall, and it can either plug into ethernet and share it wirelessly or act as a bridge to another wireless point.

Lurker

This is pretty neat. So it is a Raspberry Pi with a huge antenna that connects to open points within ~2700 ft? Out of curiosity, how often are you able to succeed in finding open access points in this range?

Your evil twin attack is cool. The thing is you have to take different approaches for different types of routers. Have you looked into Reaver? If you have all your ducks in a row this does the trick:

People say pixiedust brings lots of success. Really depends on the router. The idea of a van with a giant antenna that is attacking access points is mind-boggling to me. It could work.

I have been interested in the subject as well, because my local internet provider generates passwords with a simple algorithm.. like "rustyskates411" or "largepotato878". Conventional math says cracking a password like that character-by-character would take millions of years. However it seems there are ways to reduce that time significantly.


That's a good adapter, I'm a big fan of the 036H. It has the RTL8187L chipset, which is the only chipset that realtek ever made that's actually on par with the best. Also, you can run that thing at 2 watts without overheating issues. Or at least I never had any.

Odd that the HooToo doesn't have technical specs anywhere. I would be interested to know how it performs once you've gotten a chance to test it out a little more.


Reduce the time significantly, sure. It just depends. If it's all lowercase "adjective+noun+3#s" it could be brought down to a week with a generated dictionary containing common words. Or maybe a day, assuming the noun/verb combos are very common words. Those 3 digits kill you because you then need 1,000 additional combinations of each adjective/noun combo. If you have a preshared key you can try about 3000 keys per second, so you can only do about 3 adjective/noun combinations per second.

Reaver is for WPS (one 4 digit pin, one 3 digit pin), which isn't all that common in my experience.

Pilgrim

Very nice! For those who care, I might mention that at that power there are potential long-term health concerns about the placement of the antenna. You might want to place it as far from people in the vehicle as you can to mitigate that (again, if you care much... not everyone does). It will also build up heat, so take that into account as far as where you place it; wifi is microwave (as I'm sure the OP knows... saying it for anyone who might not). If I were in cities more often, I might have tried your setup on my own rig. As is, I'm usually far enough out that I have to rely on Verizon.


Wayfarer

I'm about to move into the top story of a 4-story factory space which has line of sight with the downtown area of the town. I was thinking of running an antenna to pick up wifi from the town and get free internet. I started planning something similar to what you wrote and then I found this! No more planning needed. Thanks so much zim.

Edit: Also, you mentioned you were going to try and make the directional antenna rotate using a DC stepper motor and a motor controller. I think that's overkill and it might be cheaper/simpler to use a geared-down DC motor connected to a relay, making it much simpler/cheaper and, I think, accomplishing exactly what you want.
